
Thread: Whole Drive Encryption - Dual Boot

  1. #1
    Member
    Join Date
    May 2007
    Posts
    202

    Default Whole Drive Encryption - Dual Boot

    Afternoon,

    I've a requirement to encrypt the whole hard drive of a laptop which is dual-booting Ubuntu and Linux.

    Ideally it should request some sort of authentication (preferably two factor: token and password) at boot, and then (if authentication is successful) present me with the standard boot menu (lilo, grub, whatever) so that I can choose my OS.

    Ideally I'd like to be able to manage it from within Linux as that will be my primary OS, but if it must be managed from within Windows then that's not too much of a trauma.....maybe.....

    Anybody got any thoughts?

  2. #2
    Member elazar's Avatar
    Join Date
    Sep 2007
    Posts
    217

    Default

    http://www.truecrypt.org/
    http://www.pgp.com/products/wholediskencryption/

    EDIT: TrueCrypt does not support encrypting your boot partition:

    From the TrueCrypt site:
    Q: Is it possible to encrypt my operating system boot partition?

    A: No, TrueCrypt does not allow this. However, there are ways to ensure that the volume where operating system resides is read-only, which should prevent information leakage (registry, temporary files, etc., are stored in RAM) and make it impossible for an adversary to install a Trojan horse on the system. One of the ways is using BartPE. BartPE stands for "Bart's Preinstalled Environment", which is essentially the Windows operating system prepared in a way that it can be entirely stored on and booted from a CD/DVD (registry, temporary files, etc., are stored in RAM - hard disk is not used at all and does not even have to be present). The freeware Bart's PE Builder can transform a Windows XP installation CD into BartPE.
    If you use TrueCrypt 3.1 or later, you do not even need any TrueCrypt plug-in for BartPE. You can simply run TrueCrypt in 'traveller' mode under the BartPE system from a BartPE disk itself or from any other location where the TrueCrypt system files (i.e., 'TrueCrypt.exe', 'TrueCrypt.sys', etc.) are stored. The type of the CD or DVD on which you store BartPE should be "write once, read many" (for example CD-R), because rewritable disk types (such as CD-RW) might allow an adversary to alter the contents of the disk.
    It might be possible to make a small boot partition with just the kernel, truecrypt, and truecrypt's dependencies which could then decrypt your root partition at boot time...

  3. #3
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default

    I've used TrueCrypt before though not as you describe. I've used it for USB devices and been very happy with it.

    For the scenario you describe I've only had experience with Winmagic/SecureDocs which did a wonderful job.

  4. #4
    Member imported_blackfoot's Avatar
    Join Date
    Jun 2007
    Posts
    386

    Default encryption

    The most effective whole disk encryption is through using OpenBSD instead of Linux, (but a similar state can be achieved under Linux with care).

    The whole disk should be filled with random (gosh that takes forever on a big disk - maybe allow a week - no joke) or with zeroes.

    That act alone will present any enquirer with information that indicates that the whole disk is full.

    The use of lilo or grub will defeat your purpose I guess. It is more effective to use a startup USB stick which carries its own key. A CD can sometimes be used if the system does not activate USB at boot.

    The key should be a very lengthy passphrase encrypted with Blowfish or similar at maximum length. (At least 4096 preferably more.) It will be nearly impossible for you to repeat the key and so it should be stored on the USB stick in encrypted form.

    The USB stick will enable you to start your preferred OS.

    Bear in mind that SWAP might leak and certainly userland programs and data will be processed in the clear during use.

    The system should be configured so that it only starts from the USB stick. You should remove it whenever the machine is under threat or when out of reach. Turning off the machine by powering down therefore renders it in a useless state.

    There are consequences for backing up data. It is possible to encrypt CDs to contain backup data but not entirely satisfactory. It will always have to be processed in the clear.

    Watch out for DNS leaks and web use.

    Never lose your USB stick. Leave a copy in a safe. Without the USB stick the system is nothing. Plausible denial is difficult. This is not a trivial pursuit but highly enjoyable.

    Other ideas mentioned here may be valid and workable but at a significantly less secure state. I cannot verify them as I have not used them.

    Best of luck. Not a nothing!
    Lux sit
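
Added example (not part of blackfoot's post or of the thread): one way to keep a long random key on the USB stick in encrypted form, so that both the stick and a passphrase are needed. It assumes OpenSSL 1.1.1 or later; the function names, file names and device name are hypothetical, and AES-256-CBC with PBKDF2 is used where the post says "Blowfish or similar".

```shell
#!/usr/bin/env bash
# Added example: passphrase-wrapped keyfile for a removable boot stick.
# Assumptions: OpenSSL 1.1.1+ on PATH; all names below are hypothetical.

KDF_ITER=200000   # PBKDF2 rounds; raise until unwrapping takes about a second

# gen_key OUT: write a 4096-bit (512-byte) random key to OUT, readable by owner only.
gen_key() {
    ( umask 077; openssl rand -out "$1" 512 )
}

# wrap_key PASS IN OUT: encrypt keyfile IN under PASS; OUT is what goes on the stick.
# The passphrase is fed on stdin so it never appears in the process list.
wrap_key() {
    printf '%s\n' "$1" | openssl enc -aes-256-cbc -pbkdf2 -iter "$KDF_ITER" -salt \
        -pass stdin -in "$2" -out "$3"
}

# unwrap_key PASS IN: decrypt IN and write the raw key to stdout.
# Illustrative use (not run here; /dev/sdX2 is a placeholder):
#   unwrap_key "$pass" /mnt/stick/disk.key.enc | cryptsetup open --key-file=- /dev/sdX2 root
unwrap_key() {
    printf '%s\n' "$1" | openssl enc -d -aes-256-cbc -pbkdf2 -iter "$KDF_ITER" \
        -pass stdin -in "$2" 2>/dev/null
}

# roundtrip_ok: returns 0 only if the right passphrase recovers the key
# and a wrong one does not. Passphrases here are constructed samples.
roundtrip_ok() {
    local d rc=0
    d=$(mktemp -d) || return 1
    gen_key "$d/disk.key"
    wrap_key 'constructed sample passphrase' "$d/disk.key" "$d/disk.key.enc"
    unwrap_key 'constructed sample passphrase' "$d/disk.key.enc" > "$d/good"
    unwrap_key 'some other passphrase' "$d/disk.key.enc" > "$d/bad"
    cmp -s "$d/disk.key" "$d/good" || rc=1      # correct passphrase must round-trip
    if cmp -s "$d/disk.key" "$d/bad"; then rc=1; fi   # wrong one must not
    if cmp -s "$d/disk.key" "$d/disk.key.enc"; then rc=1; fi  # stick copy is not plaintext
    rm -rf "$d"
    return "$rc"
}
```

`openssl enc` in CBC mode is unauthenticated: a wrong passphrase normally fails the padding check, but the definitive test is whether the volume opens with the unwrapped key.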

  5. #5
    Member elazar's Avatar
    Join Date
    Sep 2007
    Posts
    217

    Default

    You might want to take a look at this: http://tldp.org/HOWTO/html_single/Di...ryption-HOWTO/

    The only caveat is the key needs to be stored on a removable medium (i.e. USB drive)


    E

  6. #6
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default

    I would strongly suggest that you read this before you decide to use PGP whole disk encryption.

  7. #7
    Senior Member PrairieFire's Avatar
    Join Date
    Apr 2007
    Posts
    705

    Default

    Quote: Originally Posted by thorin
    I would strongly suggest that you read this before you decide to use PGP whole disk encryption.
    PGP Whole Disk Encryption - Barely Acknowledged Intentional Backdoor

    Popular whole disk encryption vendor, PGP Corporation, has a remote support “feature” which allows unattended reboots, fully-bypassing the decryption boot process. The feature, which until recently was not documented (customer accessible only) in most support manuals, allows a user who knows a boot passphrase to add a static password (hexadecimal x01) that the boot software knows. If this flag is set, the boot process does not interrogate a user. It simply starts the operating system. The feature can be accessed via the command line (ignore line wrap)
    You have to set this bypass up; it is not created automatically. Also some of my passphrases are over 65 characters long so good luck shoulder surfing...
    Μολὼν λαβέ - Great spirits encounter heavy opposition from mediocre minds.

  8. #8
    Senior Member shamanvirtuel's Avatar
    Join Date
    Mar 2010
    Location
    Somewhere in the "Ex" human right country
    Posts
    2,988

    Default

    And the worst, if I remember well, is that the PGP creator, Zimmermann, was forced to disclose the algorithm & methods used in PGP for whole encryption.....

    I remember it's because of the law for cryptographic software in the USA, but maybe a US citizen can clarify this....

    Maybe it's only my brain which is too fuzzed by MJ, but PGP is dead for me!
    Watch your back, your packetz will belong to me soon... xD

    BackTrack :
    Giving Machine Guns to Monkeys since 2006

  9. #9
    Member imported_blackfoot's Avatar
    Join Date
    Jun 2007
    Posts
    386

    Default yes

    Yes there were/are many allegations concerning the presence of a backdoor.

    There are also US export restrictions...which is one reason why the OpenBSD/OpenSSH team have moved to Canada.

    My first reply in this thread still stands as my advice.

    GPG is an alternative to PGP if required. I use GPG for my emails.
    Lux sit

  10. #10
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default

    @ PrairieFire

    I wasn't meaning to make it sound like the end of the world for PGP, I just wanted ppl to be aware of it.

    @ blackfoot
    I also recently started using GPG for encrypted email/attachments. So far I'm pretty happy with it.
